This is an automated email from the ASF dual-hosted git repository.

albumenj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo-website.git


The following commit(s) were added to refs/heads/master by this push:
     new cd1be029d5a Update security docs (#2878)
cd1be029d5a is described below

commit cd1be029d5adb3ac398a09ca4e5f3da2a55b7323
Author: Albumen Kevin <[email protected]>
AuthorDate: Fri Dec 15 14:39:05 2023 +0800

    Update security docs (#2878)
    
    * Update security docs
    
    * Update security docs
    
    * Update security docs
---
 content/en/blog/security-notices/_index.md         |   9 --
 content/en/blog/security-notices/security.md       | 116 ---------------------
 .../security-notices/serialization-security.md     |  20 ----
 content/en/overview/notices/_index.md              |   9 ++
 content/en/overview/notices/log4j.md               |  53 ++++++++++
 content/en/overview/notices/protocol.md            |  35 +++++++
 content/en/overview/notices/registry.md            |  26 +++++
 content/en/overview/notices/serialization.md       |  60 +++++++++++
 content/zh-cn/blog/notices/_index.md               |   7 --
 .../zh-cn/blog/notices/serialization-security.md   |  17 ---
 content/zh-cn/overview/notices/_index.md           |  10 ++
 .../security.md => overview/notices/log4j.md}      |  32 ++----
 content/zh-cn/overview/notices/protocol.md         |  34 ++++++
 content/zh-cn/overview/notices/registry.md         |  26 +++++
 content/zh-cn/overview/notices/serialization.md    |  60 +++++++++++
 layouts/partials/footer.html                       |   2 +-
 16 files changed, 320 insertions(+), 196 deletions(-)

diff --git a/content/en/blog/security-notices/_index.md 
b/content/en/blog/security-notices/_index.md
deleted file mode 100644
index 494cef2bc95..00000000000
--- a/content/en/blog/security-notices/_index.md
+++ /dev/null
@@ -1,9 +0,0 @@
-
----
-type: docs
-title: "Security notices"
-linkTitle: "Security notices"
-description: "Dubbo security notices"
-weight: 90
----
-
diff --git a/content/en/blog/security-notices/security.md 
b/content/en/blog/security-notices/security.md
deleted file mode 100644
index c8690882fad..00000000000
--- a/content/en/blog/security-notices/security.md
+++ /dev/null
@@ -1,116 +0,0 @@
-
----
-type: docs
-title: "Security"
-linkTitle: "Security"
-description: "Dubbo Security information, such impact of vulnerabilities in 
upstream components"
-weight: 90
----
-
-## Reporting security issues
-
-The Apache Software Foundation takes a very active stance in eliminating 
security problems and denial of service attacks against its products.
-
-We strongly encourage folks to report such problems to our private security 
mailing list first, before disclosing them in a public forum.
-
-Please note that the security mailing list should only be used for reporting 
undisclosed security vulnerabilities and managing the process of fixing such 
vulnerabilities. We cannot accept regular bug reports or other queries at this 
address. All mail sent to this address that does not relate to an undisclosed 
security problem in our source code will be ignored.
-
-If you need to report a bug that isn't an undisclosed security vulnerability, 
please use the bug reporting page.
-
-The private security mailing address is: [email protected]
-
-For more information about how the ASF deals with security potential problems 
see https://www.apache.org/security/
-
-## Security issues in dependencies
-
-### Log4j CVE-2021-44228
-
-Recently, the mainstream log framework 
[log4j2](https://logging.apache.org/log4j/2.x/) was reported with a severe 
security vulnerability 
[cve-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
-
-The following is a summary of the impact of this vulnerability cve-2021-44228 
on the Apache Dubbo framework and the user's guide.
-
-#### Potential Influence on Dubbo
-
-**CVE-2021-44228 has no security impact on use of Dubbo framework**
-
-Dubbo itself does not rely on the log4j2 framework, nor will it bring log4j2 
to the project through dependency transfer. Therefore, Dubbo users of version 
2.7.x and 3.0.x do not need to upgrade their Dubbo versions.
-
-The following is the dependency analysis of Dubbo components on log4j2, 
involving `Dubbo common`, `Dubbo spring boot starter` and `Dubbo spring boot 
actuator`:
-
-* `dubbo-common` optionally depends on `log4j-core`. The only need to check is 
whether the project itself has enabled log4j dependency. If so, upgrade 
accordingly.
-
-```xml
-[INFO] --- maven-dependency-plugin:3.1. 2:tree (default-cli) @ dubbo-common ---
-[INFO] org. apache. dubbo:dubbo-common:jar:2.7. 14-SNAPSHOT
-[INFO] +- org. apache. logging. log4j:log4j-api:jar:2.11. 1:provided
-[INFO] \- org. apache. logging. log4j:log4j-core:jar:2.11. 1:provided
-```
-
-* `dubbo-spring-boot-starter` transfers log4j-api dependency through 
spring-boot. log4j-api itself has no security issue. But pay attention to 
compatibility with log4j-api when upgrading the log4j-core component
-
-```xml
-[INFO] org. apache. dubbo:dubbo-spring-boot-starter:jar:2.7. 14-SNAPSHOT
-[INFO] \- org. springframework. boot:spring-boot-starter:jar:2.3. 
1.RELEASE:compile (optional)
-[INFO] \- org. springframework. boot:spring-boot-starter-logging:jar:2.3. 
1.RELEASE:compile (optional)
-[INFO] \- org. apache. logging. log4j:log4j-to-slf4j:jar:2.13. 3:compile 
(optional)
-[INFO] \- org. apache. logging. log4j:log4j-api:jar:2.13. 3:compile (optional)
-```
-
-* `dubbo-spring-boot-actuator` transfers log4j-api dependency through 
spring-boot. log4j-api itself has no security issue. But pay attention to 
compatibility with log4j-api when upgrading the log4j-core component
-
-
-```xml
-[INFO] org. apache. dubbo:dubbo-spring-boot-actuator:jar:2.7. 14-SNAPSHOT
-[INFO] \- org. springframework. boot:spring-boot-starter-web:jar:2.3. 
1.RELEASE:compile (optional)
-[INFO] \- org. springframework. boot:spring-boot-starter:jar:2.3. 
1.RELEASE:compile
-[INFO] \- org. springframework. boot:spring-boot-starter-logging:jar:2.3. 
1.RELEASE:compile
-[INFO] \- org. apache. logging. log4j:log4j-to-slf4j:jar:2.13. 3:compile
-[INFO] \- org. apache. logging. log4j:log4j-api:jar:2.13. 3:compile
-```
-
-## Security Model
-
-### Third-party Deserialization Library Vulnerabilities
-
-Dubbo supports the extension of serialization protocol. Theoretically, users 
can enable serialization protocol with arbitrary order based on the extension 
mechanism, which brings great flexibility, but at the same time, they should be 
aware of the potential security risks.
-Data deserialization is one of the most vulnerable links to be exploited by 
attackers. Attackers use it to steal or destroy server-side data, such as rce 
attack. 
-Before switching the serialization protocol or implementation, the user should 
fully investigate the security guarantee of target serialization protocol and 
its framework implementation, and set corresponding security measures in 
advance (such as setting Black / white list). The Dubbo framework itself cannot 
guarantee the security of the target serialization mechanism.
-
-Dubbo 2.7 The official version provides the following serialization protocols:
-* Hessian2
-* Fastjson
-* Kryo
-* FST
-* JDK
-* Protostuff/Protobuf
-* Avro
-* Gson
-
-For the above serialization extension, after finding or receiving the relevant 
vulnerability report, Dubbo will follow up and upgrade to the latest security 
version, but the final vulnerability repair scheme depends on the serialization 
framework implementation.
-> For users using [dubbo 
hessian2](https://github.com/apache/dubbo-hessian-lite/releases), Dubbo will 
guarantee the security of Hessian 2 serialization mechanism and repair the 
reported security vulnerabilities as much as possible   
-
-If you have any questions or security issues, please send mail to here 
[email protected]
-
-#### Some suggestions to deal with the security vulnerability of 
deserialization
-
-* External network access restrictions
-
-According to the research, most of the existing deserialization utilization 
chains need to load malicious classes remotely. If there is no special 
requirement, it is recommended to configure the server out of the Internet 
without affecting the business.
-
-* IP white list
-
-It is suggested that the Server developer add the consumer IP that can connect 
to the Dubbo server to the trusted IP white list, and configure the trusted IP 
white list on the server to prevent the attacker from directly initiating the 
connection request externally.
-
-* More secure deserialization
-
-The protocol and deserialization method can be changed without affecting the 
business, such as rest, grpc, thrift, etc.
-
-* Close the public network port
-
-Do not expose the open port of Dubbo server to the public network. But pay 
attention to the exceptional, if the attacker is in the Intranet environment, 
he can still attack.
-
-* Enable filtering of incoming serialization data for Java default 
serialization  
-Remember to configure filtering rules before enabling Java default 
serialization. 
-This feature is first supported in JDK 9 and has been back-ported to JDK 8, 7, 
and 6.  
-https://docs.oracle.com/javase/10/core/serialization-filtering1.htm#JSCOR-GUID-3ECB288D-E5BD-4412-892F-E9BB11D4C98A
  
-http://openjdk.java.net/jeps/290
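Review bot: the deleted `## Reporting security issues` block (private security mailing-list address, pointer to https://www.apache.org/security/, the rule that the list is only for undisclosed vulnerabilities) and the `#### Some suggestions to deal with the security vulnerability of deserialization` list (egress restriction, consumer IP allow-list, keep the Dubbo port off the public network, JEP 290 / JDK serialization filtering with its two reference links) are not carried into any of the new `content/en/overview/notices/*.md` files in this patch, so the English site loses both its vulnerability-reporting instructions and its only JDK-level serialization-filter guidance. Suggest re-adding the reporting section to `content/en/overview/notices/_index.md` and folding the mitigation bullets into `content/en/overview/notices/serialization.md`, or naming the intended new home in the commit message.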
diff --git a/content/en/blog/security-notices/serialization-security.md 
b/content/en/blog/security-notices/serialization-security.md
deleted file mode 100644
index 1ce62dba500..00000000000
--- a/content/en/blog/security-notices/serialization-security.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-title: "Serialization Protocol Security"
-linkTitle: "Serialization Protocol Security"
-weight: 1
-tags: ["Security Vulnerabilities"]
-description: "Safer use of serialization protocols in Dubbo"
----
-
-Dubbo 3 has enhanced the security aspects of serialization protocols and 
recommends using the Triple protocol in non-Wrapper mode. This protocol is 
secure by default but requires developers to write IDL files.
-
-In the Triple protocol's Wrapper mode, compatibility with other serialization 
data is allowed, offering good compatibility. However, other protocols may have 
deserialization security flaws. For the Hessian2 protocol, users who require 
high-security attributes should enable whitelist mode according to the sample 
code. The framework will enable blacklist mode by default to block malicious 
calls.
-
-Using other serialization protocols is not recommended. When an attacker can 
access the Provider interface, security flaws in other serialization protocols 
may lead to command execution through the Provider interface.
-
-If you must use other serialization protocols and wish to maintain some level 
of security, you should enable the Token authentication mechanism. This will 
prevent threats to the Provider's security from unauthenticated and untrusted 
request sources. When enabling Token authentication, you should also enable the 
authentication feature in the registry.
-
-## Notice
-The following serializations are proved that not safe enough to transfer on 
network and not recommend to use.
-- native-hessian
-- native-java (Java ObjectOutputStream and ObjectInputStream)
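Review bot: the `## Notice` list naming `native-hessian` and `native-java (Java ObjectOutputStream and ObjectInputStream)` as not safe to transfer over the network is dropped here and does not reappear in the new `content/en/overview/notices/serialization.md`, which is the only place the English docs named those two extension identifiers explicitly. The replacement page also adds no alias for this file's old URL `/en/blog/security-notices/serialization-security/` (its only alias is a `/zh-cn/blog/1/01/01/...` path), so inbound links will 404. Suggest carrying the Notice list over and adding the old path to `aliases`.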
diff --git a/content/en/overview/notices/_index.md 
b/content/en/overview/notices/_index.md
new file mode 100755
index 00000000000..5cbde6f93a2
--- /dev/null
+++ b/content/en/overview/notices/_index.md
@@ -0,0 +1,9 @@
+---
+title: "Security Notice"
+linkTitle: "Security Notice"
+description: "Dubbo Security Notice"
+aliases:
+  /en/docs/notices/security
+weight: 50
+type: docs
+---
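Review bot: the `aliases:` entry `  /en/docs/notices/security` is written without the `- ` list marker that the zh-cn counterpart in this same patch uses (`  - /zh-cn/blog/notices/`), so YAML parses it as a plain string rather than a one-element list; make it `  - /en/docs/notices/security` so both files use the list form Hugo documents and you do not rely on string-to-slice coercion. The old English section root `/en/blog/security-notices/` deleted earlier in this patch is also not aliased anywhere.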
diff --git a/content/en/overview/notices/log4j.md 
b/content/en/overview/notices/log4j.md
new file mode 100755
index 00000000000..df732bf63e2
--- /dev/null
+++ b/content/en/overview/notices/log4j.md
@@ -0,0 +1,53 @@
+---
+title: "Log4j vulnerability impact"
+linkTitle: "Log4j vulnerability impact"
+description: "Log4j CVE-2021-44228 vulnerability impact"
+aliases:
+- /zh-cn/blog/1/01/01/Security Vulnerability/
+weight: 90
+type: docs
+---
+
+Recently, the mainstream logging component 
[log4j2](https://logging.apache.org/log4j/2.x/) broke out [security 
vulnerability 
CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
+
+The following is a summary of the impact of vulnerability CVE-2021-44228 on 
the Apache Dubbo framework and user response guidelines.
+
+## Dubbo scope of influence
+
+**This vulnerability has no impact on the security of Dubbo framework. **
+
+Dubbo itself does not rely heavily on the log4j2 framework, nor does it bring 
log4j2 to business projects through dependency transfer. Therefore, users who 
are using Dubbo 2.7.x, 3.0.x and other versions do not need to be forced to 
upgrade the Dubbo version.
+
+The following is an analysis of the dependence of Dubbo components on log4j2, 
involving `dubbo-common`, `dubbo-spring-boot-starter`, and 
`dubbo-spring-boot-actuator`:
+
+* dubbo-common includes an optional dependency on `log4j-core`. Please check 
whether the log4j dependency is enabled in the project itself. If so, upgrade 
accordingly.
+```xml
+[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @dubbo-common ---
+[INFO] org.apache.dubbo:dubbo-common:jar:2.7.14-SNAPSHOT
+[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.11.1:provided
+[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.11.1:provided
+
+```
+
+* dubbo-spring-boot-starter passes the log4j-api dependency through the 
spring-boot component. Log4j-api itself has no security issues. When upgrading 
the log4j-core component, pay attention to compatibility with log4j-api.
+
+```xml
+[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) 
@dubbo-spring-boot-starter ---
+[INFO] org.apache.dubbo:dubbo-spring-boot-starter:jar:2.7.14-SNAPSHOT
+[INFO] \- 
org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:compile 
(optional)
+[INFO] \- 
org.springframework.boot:spring-boot-starter-logging:jar:2.3.1.RELEASE:compile 
(optional)
+[INFO] \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile (optional)
+[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile (optional)
+
+```
+
+* dubbo-spring-boot-actuator passes the log4j-api dependency through the 
spring-boot component. Log4j-api itself has no security issues. When upgrading 
the log4j-core component, attention should be paid to compatibility with 
log4j-api
+
+```xml
+[INFO] org.apache.dubbo:dubbo-spring-boot-actuator:jar:2.7.14-SNAPSHOT
+[INFO] \- 
org.springframework.boot:spring-boot-starter-web:jar:2.3.1.RELEASE:compile 
(optional)
+[INFO] \- 
org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:compile
+[INFO] \- 
org.springframework.boot:spring-boot-starter-logging:jar:2.3.1.RELEASE:compile
+[INFO] \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
+[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
+```
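Review bot: the emphasis at `**This vulnerability has no impact on the security of Dubbo framework. **` will not render as bold because of the space before the closing `**` (a closing delimiter cannot be preceded by whitespace in CommonMark); drop the space. `Dubbo itself does not rely heavily on the log4j2 framework` mistranslates the zh-cn `不强依赖` (no hard dependency): "heavily" weakens the security claim, so write "Dubbo has no hard (compile-scope) dependency on log4j2". The `aliases` entry `/zh-cn/blog/1/01/01/Security Vulnerability/` is a zh-cn path containing a space in an English file; the previous English URL for this content was `/en/blog/security-notices/security/`. Finally, the three dependency trees are fenced as `xml` though they are Maven console output, and the nesting indentation in front of each `\-` has been flattened (compare the zh-cn file at `[INFO]          \- org.apache.logging.log4j:log4j-to-slf4j`), so the reader cannot see that `log4j-api` is pulled in under `spring-boot-starter-logging` rather than directly by the Dubbo artifact; use a `text` fence and restore the indentation.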
diff --git a/content/en/overview/notices/protocol.md 
b/content/en/overview/notices/protocol.md
new file mode 100644
index 00000000000..9b31b73a401
--- /dev/null
+++ b/content/en/overview/notices/protocol.md
@@ -0,0 +1,35 @@
+---
+title: "RPC Protocol Security"
+linkTitle: "RPC protocol security"
+weight: 2
+description: "Use RPC protocol more securely in Dubbo"
+type: docs
+---
+
+Dubbo supports the extension of the RPC protocol. In theory, users can enable 
any RPC protocol based on this extension mechanism. This brings great 
flexibility, but at the same time, users must be aware of the hidden security 
risks.
+
+The serialization protocols provided by the official version of Dubbo 2.7 are 
as follows:
+* Dubbo
+* RMI
+* Hessian
+* Http/Rest
+* Webservice
+* Thrift
+* gRPC
+* …
+
+Starting from Dubbo 3.0, only the following serialization protocol support is 
provided by default:
+* Dubbo
+* Triple/gRPC
+* Http/Rest
+
+The Triple, gRPC, Http, and Rest protocols are all built based on the HTTP 
protocol. The format of the request can be strictly distinguished. For example, 
the header is plain text to avoid risks such as RCE when reading the Token.
+For the Dubbo protocol, since it is designed based on TCP binary directly, 
except for a few specific fields, it is written using the serialization 
protocol. Therefore, if a risky serialization protocol is turned on, there will 
still be risks such as RCE.
+For the RMI protocol, since it is based on the Java serialization mechanism, 
there are risks such as RCE.
+For the Hessian protocol, because it is based on the Hessian serialization 
mechanism, and the default Hessian protocol (non-Dubbo Shade's Hessian-Lite 
protocol) cannot configure a black and white list and has no default black 
list, there are risks such as RCE.
+
+1. If the user wants to use the Token authentication mechanism to prevent 
unauthenticated and untrusted request sources from threatening the security of 
the Provider, they should use protocols based on HTTP standard extensions such 
as Triple to avoid security risks when reading token parameters.
+
+2. In particular, the Dubbo community **strongly does not recommend** exposing 
the Dubbo protocol, RMI protocol, Hessian protocol and other protocols that are 
not based on HTTP standard extensions to the public network environment, 
because the original intention of the Dubbo protocol is to be used on the 
intranet Provide high-performance RPC services in the environment, rather than 
in the public network environment.
+
+3. If your application needs to expose public network access, the Dubbo 
community recommends that you use the Triple protocol and avoid using 
non-Protobuf mode or services based on Dubbo 3.3 and above that only expose 
standard application/json format services.
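Review bot: both list headings say "serialization protocols" (`The serialization protocols provided by the official version of Dubbo 2.7 are as follows` and `only the following serialization protocol support is provided by default`) while the items are RPC protocols (Dubbo, RMI, Hessian, Http/Rest, Triple/gRPC); change both to "RPC protocols", otherwise the page contradicts `serialization.md`, which lists Hessian2/Fastjson2/Protobuf under the same heading. Item 3 is ambiguous: "avoid using non-Protobuf mode or services based on Dubbo 3.3 and above that only expose standard application/json format services" reads as if 3.3+ JSON services should be avoided, whereas the zh-cn text gives two acceptable options (Protobuf mode, or on 3.3+ exposing only standard `application/json` services); suggest "use the Triple protocol in Protobuf mode, or, on Dubbo 3.3 and above, expose only services in the standard application/json format".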
diff --git a/content/en/overview/notices/registry.md 
b/content/en/overview/notices/registry.md
new file mode 100644
index 00000000000..f3f21daa771
--- /dev/null
+++ b/content/en/overview/notices/registry.md
@@ -0,0 +1,26 @@
+---
+title: "Registration Center Security"
+linkTitle: "Registration Center Security"
+weight: 3
+description: "Use the registration center more safely in Dubbo"
+type: docs
+---
+
+Dubbo supports the extension of the registration center. In theory, users can 
enable any registration center based on this extension mechanism. This brings 
great flexibility, but at the same time, users must be aware of the hidden 
security risks.
+
+The official version of Dubbo 2.7 provides the following registration centers:
+* Zookeeper
+* Redis
+* Nacos
+* Etcd
+* Consul
+* ...
+
+Starting from Dubbo 3.0, only the following registration centers are supported 
by default:
+* Zookeeper
+* Nacos
+
+For the registration center, Dubbo can only fully trust the data pushed by it. 
Therefore, if there is a security vulnerability in the registration center, the 
Dubbo service may be maliciously registered or data may be maliciously pushed, 
resulting in the service being attacked.
+Therefore, in order to ensure the security of the registration center, Dubbo 
officially recommends that you:
+* Enable the authentication mechanism of the registration center, such as 
Zookeeper's ACL mechanism, Nacos' username and password mechanism, etc.
+* Avoid exposing the registration center to the public network environment, 
and try to deploy the registration center in a trusted intranet environment
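Review bot: `Dubbo can only fully trust the data pushed by it` inverts the intended meaning of the zh-cn `只能完全信任`; the point is that Dubbo has no way to verify registry data and must trust it, so write "Dubbo has to fully trust the data pushed by the registry", which is what justifies the two recommendations that follow. "Registration Center" is also not the term the rest of the English Dubbo docs use; "Registry" matches the existing pages and the `registry.md` filename.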
diff --git a/content/en/overview/notices/serialization.md 
b/content/en/overview/notices/serialization.md
new file mode 100644
index 00000000000..cd6cc250093
--- /dev/null
+++ b/content/en/overview/notices/serialization.md
@@ -0,0 +1,60 @@
+---
+title: "Serialization Security"
+linkTitle: "Serialization Security"
+weight: 1
+aliases:
+  - /zh-cn/blog/1/01/01/Serialization Protocol Security/
+description: "Use serialization protocol more safely in Dubbo"
+type: docs
+---
+
+# Overview
+
+Dubbo supports the extension of serialization protocols. In theory, users can 
enable any serialization protocol based on this extension mechanism. This 
brings great flexibility, but at the same time, users must be aware of the 
hidden security risks.
+Data deserialization is the link most easily exploited by attackers, who use 
it to perform RCE attacks to steal or destroy server-side data.
+Before switching serialization protocols or implementations, users should 
fully investigate the security guarantees of the target serialization protocol 
and its framework implementation, and set up corresponding security measures in 
advance (such as setting up a black/white list).
+The Dubbo framework itself cannot directly guarantee the security of the 
target serialization mechanism.
+
+The serialization protocols provided by the official version of Dubbo 2.7 are 
as follows:
+* Hessian2
+* Fastjson
+* Kryo
+* FST
+* JDK
+* Protostuff
+* Protocol Buffers
+* Avro
+* Gson
+
+Starting from Dubbo 3.0, only the following serialization protocol support is 
provided by default:
+* Hessian2
+* JDK
+* Protocol Buffers
+
+Starting from Dubbo 3.2, the following serialization protocol support is 
provided by default:
+* Hessian2
+* Fastjson2
+* JDK
+* Protocol Buffers
+
+For security reasons, starting from Dubbo 3.3, only the following 
serialization protocols will be supported by default:
+* Hessian2
+* Fastjson2
+* Protocol Buffers
+
+For the above serialization extensions, after discovering or receiving 
relevant vulnerability reports, Dubbo officials will follow up and upgrade 
dependencies to the latest security version, but the final vulnerability fix 
depends on the serialization framework implementation.
+
+> For users using the [dubbo 
hessian2](https://github.com/apache/dubbo-hessian-lite/releases) version, Dubbo 
officials will ensure the security of the hessian2 serialization mechanism and 
fix reported security vulnerabilities as much as possible
+
+In addition, starting from Dubbo version 3.2, the whitelist mechanism is 
adopted by default for Hessian2 and Fastjson2. If you find that some data 
processing has been removed, you can refer to 
[Document](/zh-cn/overview/mannual/java-sdk/advanced-features- 
and-usage/security/class-check/) to configure.
+
+# Full reinforcement
+
+In order to improve the security of application serialization as much as 
possible, Dubbo 3.0 has upgraded and strengthened the security of the 
serialization protocol. It is recommended to use the non-Wrapper mode of the 
Tripe protocol.
+This protocol is secure by default, but requires developers to write IDL files.
+
+Triple protocol Wrapper mode allows compatibility with other serialized data, 
providing good compatibility. However, other protocols may have deserialization 
security flaws. For the Hessian2 protocol, users with high security attributes 
should follow the sample code instructions to turn on the whitelist mode. The 
framework will turn on the blacklist mode by default to intercept malicious 
calls.
+
+If other serialization protocols must be used, a certain degree of security is 
expected. The Token authentication mechanism should be enabled to prevent 
unauthenticated and untrusted request sources from threatening Provider 
security. When turning on the Token authentication mechanism, the 
authentication function of the registration center should be turned on 
simultaneously.
+
+[Reinforcement 
reference](/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/)
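Review bot: the page states two different defaults for the same mechanism: `starting from Dubbo version 3.2, the whitelist mechanism is adopted by default for Hessian2 and Fastjson2` in the overview, then `The framework will turn on the blacklist mode by default to intercept malicious calls` under Full reinforcement; say which applies to which version range (the second sentence was written for the 3.0-era page) so a user on 3.2+ does not conclude they still need to enable the whitelist by hand. Both links (`/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/class-check/` and `/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/`) point at zh-cn pages from the English doc; link the `/en/` equivalents. `# Overview` and `# Full reinforcement` are H1 headings while the title is already the H1 and the sibling notices use no top-level heading; use `##`. Wording: `Tripe protocol` should be `Triple protocol`; `If you find that some data processing has been removed` should say that some classes may be rejected by the allow-list; `If other serialization protocols must be used, a certain degree of security is expected. The Token authentication mechanism should be enabled` is a broken sentence, suggest "If other serialization protocols must be used and some level of security is still required, enable the Token authentication mechanism".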
diff --git a/content/zh-cn/blog/notices/_index.md 
b/content/zh-cn/blog/notices/_index.md
deleted file mode 100755
index ee805477b62..00000000000
--- a/content/zh-cn/blog/notices/_index.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-title: "公告栏"
-linkTitle: "安全公告"
-description: "Dubbo 公告"
-weight: 1
----
-
diff --git a/content/zh-cn/blog/notices/serialization-security.md 
b/content/zh-cn/blog/notices/serialization-security.md
deleted file mode 100644
index 932e9469920..00000000000
--- a/content/zh-cn/blog/notices/serialization-security.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-title: "序列化协议安全"
-linkTitle: "序列化协议安全"
-weight: 1
-tags: ["安全漏洞"]
-description: "在 Dubbo 中更安全的使用序列化协议"
----
-
-Dubbo3.0在序列化协议安全方面进行了升级加固,推荐使用Tripe协议非Wrapper模式。
-该协议默认安全,但需要开发人员编写IDL文件。
-
-
-Triple协议Wrapper模式下,允许兼容其它序列化数据,提供了良好的兼容性。但其它协议可能存在反序列化安全缺陷,对于Hession2协议,高安全属性用户应当按照samples代码指示,开启白名单模式,框架默认会开启黑名单模式,拦截恶意调用。
-
-不建议使用其它序列化协议,当攻击者可访问Provider接口时,其它序列化协议的安全缺陷,可能导致 Povider 接口命令执行。
-
-若必须使用其它序列化协议,同时希望具备一定安全性。应当开启Token鉴权机制,防止未鉴权的不可信请求来源威胁Provider的安全性。开启Token鉴权机制时,应当同步开启注册中心的鉴权功能。
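Review bot: no alias for this file's URL `/zh-cn/blog/notices/serialization-security/` is added to the replacement `content/zh-cn/overview/notices/serialization.md` (its only alias is `/zh-cn/blog/1/01/01/序列化协议安全/`), and the new `_index.md` alias `/zh-cn/blog/notices/` covers only the section root, so existing links to this page will 404 after the move. Add `- /zh-cn/blog/notices/serialization-security/` to the new page's `aliases`.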
diff --git a/content/zh-cn/overview/notices/_index.md 
b/content/zh-cn/overview/notices/_index.md
new file mode 100755
index 00000000000..a65d7dede1e
--- /dev/null
+++ b/content/zh-cn/overview/notices/_index.md
@@ -0,0 +1,10 @@
+---
+title: "安全公告"
+linkTitle: "安全公告"
+description: "Dubbo 安全公告"
+aliases:
+  - /zh-cn/blog/notices/
+weight: 50
+type: docs
+---
+
diff --git a/content/zh-cn/blog/notices/security.md 
b/content/zh-cn/overview/notices/log4j.md
similarity index 66%
rename from content/zh-cn/blog/notices/security.md
rename to content/zh-cn/overview/notices/log4j.md
index 6006b01e08f..a2e670a1cc7 100755
--- a/content/zh-cn/blog/notices/security.md
+++ b/content/zh-cn/overview/notices/log4j.md
@@ -1,14 +1,14 @@
 
 ---
-title: "安全漏洞"
-linkTitle: "安全漏洞"
-description: "安全漏洞说明"
-tags: ["安全漏洞"]
+title: "Log4j 漏洞影响"
+linkTitle: "Log4j 漏洞影响"
+description: "Log4j CVE-2021-44228 漏洞影响"
+aliases:
+- /zh-cn/blog/1/01/01/安全漏洞/
 weight: 90
+type: docs
 ---
 
-## 1. Log4j CVE-2021-44228 漏洞
-
 最近,主流日志组件 [log4j2](https://logging.apache.org/log4j/2.x/) 爆出[安全漏洞 
CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)。
 
 以下是漏洞 CVE-2021-44228 对 Apache Dubbo 框架的影响总结及用户应对指南。
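Review bot: the rename from `content/zh-cn/blog/notices/security.md` keeps only the `/zh-cn/blog/1/01/01/安全漏洞/` alias; the page's previous URL `/zh-cn/blog/notices/security/` is not added, so links to the old Chinese security page break. Add `- /zh-cn/blog/notices/security/` under `aliases`. The dropped `tags: ["安全漏洞"]` line also removes the page from the tag listing that the other notices in this patch no longer carry either; confirm that is intended.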
@@ -51,23 +51,3 @@ Dubbo 本身不强依赖 log4j2 框架,也不会通过依赖传递将 log4j2 
 [INFO]          \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
 [INFO]             \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
 ```
-
-
-## 2. 序列化
-Dubbo 支持序列化协议的扩展,理论上用户可以基于该扩展机制启用任意的序列化协议,这带来了极大的灵活的,但同时也要意识到其中潜藏的安全性风险。
-数据反序列化是最容易被被攻击者利用的一个环节,攻击者利用它执行 RCE 攻击等窃取或破坏服务端数据,用户在切换序列化协议或实现前,
-应充分调研目标序列化协议及其框架实现的安全性保障,并提前设置相应的安全措施(如设置黑/白名单)。Dubbo 框架自身并不能保证目标序列化机制的安全性。
-
-Dubbo 2.7 官方版本提供的序列化协议有如下几种:
-* Hessian2
-* Fastjson
-* Kryo
-* FST
-* JDK
-* Protostuff/Protobuf
-* Avro
-* Gson
-
-针对以上序列化扩展,在发现或收到相关的漏洞报告之后,Dubbo 官方会跟进并升级依赖到最新的安全版本,但最终的漏洞修复方案取决于序列化的框架实现。
-
-> 针对使用 [dubbo hessian2](https://github.com/apache/dubbo-hessian-lite/releases) 
版本的用户,Dubbo 官方会保证hessian2序列化机制的安全性并尽可能的修复上报的安全漏洞
diff --git a/content/zh-cn/overview/notices/protocol.md 
b/content/zh-cn/overview/notices/protocol.md
new file mode 100644
index 00000000000..3ba1d771b3b
--- /dev/null
+++ b/content/zh-cn/overview/notices/protocol.md
@@ -0,0 +1,34 @@
+---
+title: "RPC 协议安全"
+linkTitle: "RPC 协议安全"
+weight: 2
+type: docs
+description: "在 Dubbo 中更安全的使用 RPC 协议"
+---
+
+Dubbo 支持 RPC 协议的扩展,理论上用户可以基于该扩展机制启用任意的 RPC 协议,这带来了极大的灵活的,但同时也要意识到其中潜藏的安全性风险。
+
+Dubbo 2.7 官方版本提供的序列化协议有如下几种:
+* Dubbo
+* RMI
+* Hessian
+* Http / Rest
+* Webservice
+* Thrift
+* gRPC
+* ……
+
+从 Dubbo 3.0 开始默认仅提供以下序列化协议支持:
+* Dubbo
+* Triple / gRPC
+* Http / Rest
+
+对于 Triple、gRPC、Http、Rest 协议都是基于 HTTP 协议构建的,可以严格区分请求的格式,如 Header 为纯文本,避免在读取 
Token 时带来的 RCE 等风险。
+对于 Dubbo 协议,由于其基于 TCP 二进制直接设计,除了特定几个字段外均使用序列化协议写入,因此如果开启了有风险的序列化协议,仍然会存在 RCE 
等风险。
+对于 RMI 协议,由于其基于 Java 序列化机制,存在 RCE 等风险。
+对于 Hessian 协议,由于其基于 Hessian 序列化机制,且默认 Hessian 协议(非 Dubbo Shade 的 Hessian-Lite 
协议)无法配置黑白名单且无默认黑名单,存在 RCE 等风险。
+
+(1)如果用户希望使用 Token 鉴权机制,防止未鉴权的不可信请求来源威胁 Provider 的安全性,应使用 Triple 等基于 Http 
标准扩展的协议,避免 token 参数读取时的安全风险。
+
+(2)特别的,Dubbo 社区**非常不推荐**将 Dubbo 协议、RMI 协议、Hessian 协议等非基于 Http 
标准扩展的协议暴露在公网环境下,因为 Dubbo 协议的设计初衷是为了在内网环境下提供高性能的 RPC 服务,而非公网环境下的服务。
+(3)如果您的应用有暴露公网访问的需求,Dubbo 社区建议您使用 Triple 协议,并且避免使用非 Protobuf 模式或者是基于 Dubbo 3.3 
及以上的版本仅暴露标准 application/json 格式的服务。
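Review bot: as in the English file, `Dubbo 2.7 官方版本提供的序列化协议有如下几种` and `从 Dubbo 3.0 开始默认仅提供以下序列化协议支持` label lists of RPC protocols (Dubbo, RMI, Hessian, Triple / gRPC) as serialization protocols; change both to `RPC 协议` so the page does not clash with `serialization.md`. The `(3)` sentence should make explicit that the two alternatives are "Protobuf mode" or "on 3.3+, only standard application/json services", since the current phrasing can be read as advising against 3.3+ JSON services.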
diff --git a/content/zh-cn/overview/notices/registry.md 
b/content/zh-cn/overview/notices/registry.md
new file mode 100644
index 00000000000..405ef404b9a
--- /dev/null
+++ b/content/zh-cn/overview/notices/registry.md
@@ -0,0 +1,26 @@
+---
+title: "注册中心安全"
+linkTitle: "注册中心安全"
+weight: 3
+type: docs
+description: "在 Dubbo 中更安全的使用注册中心"
+---
+
+Dubbo 支持注册中心的扩展,理论上用户可以基于该扩展机制启用任意的注册中心,这带来了极大的灵活的,但同时也要意识到其中潜藏的安全性风险。
+
+Dubbo 2.7 官方版本提供的注册中心有如下几种:
+* Zookeeper
+* Redis
+* Nacos
+* Etcd
+* Consul
+* ……
+
+从 Dubbo 3.0 开始默认仅提供以下注册中心支持:
+* Zookeeper
+* Nacos
+
+对于注册中心,Dubbo 只能完全信任其推送的数据,因此如果注册中心存在安全漏洞,可能会导致 Dubbo 
服务被恶意注册或者是被恶意推送数据,从而导致服务被攻击。
+因此为了保证注册中心的安全性,Dubbo 官方建议您:
+* 开启注册中心的鉴权机制,如 Zookeeper 的 ACL 机制、Nacos 的用户名密码机制等
+* 避免将注册中心暴露在公网环境下,尽量将注册中心部署在可信内网环境下
diff --git a/content/zh-cn/overview/notices/serialization.md 
b/content/zh-cn/overview/notices/serialization.md
new file mode 100644
index 00000000000..77fd0baeea9
--- /dev/null
+++ b/content/zh-cn/overview/notices/serialization.md
@@ -0,0 +1,60 @@
+---
+title: "序列化安全"
+linkTitle: "序列化安全"
+weight: 1
+type: docs
+aliases:
+  - /zh-cn/blog/1/01/01/序列化协议安全/
+description: "在 Dubbo 中更安全的使用序列化协议"
+---
+
+# 概述
+
+Dubbo 支持序列化协议的扩展,理论上用户可以基于该扩展机制启用任意的序列化协议,这带来了极大的灵活的,但同时也要意识到其中潜藏的安全性风险。
+数据反序列化是最容易被被攻击者利用的一个环节,攻击者利用它执行 RCE 攻击等窃取或破坏服务端数据。
+用户在切换序列化协议或实现前, 应充分调研目标序列化协议及其框架实现的安全性保障,并提前设置相应的安全措施(如设置黑/白名单)。
+Dubbo 框架自身并不能直接保证目标序列化机制的安全性。
+
+Dubbo 2.7 官方版本提供的序列化协议有如下几种:
+* Hessian2
+* Fastjson
+* Kryo
+* FST
+* JDK
+* Protostuff
+* Protocol Buffers
+* Avro
+* Gson
+
+从 Dubbo 3.0 开始默认仅提供以下序列化协议支持:
+* Hessian2
+* JDK
+* Protocol Buffers
+
+从 Dubbo 3.2 开始默认提供以下序列化协议支持:
+* Hessian2
+* Fastjson2
+* JDK
+* Protocol Buffers
+
+处于安全性考虑,从 Dubbo 3.3 开始将默认仅提供以下序列化协议支持:
+* Hessian2
+* Fastjson2
+* Protocol Buffers
+
+针对以上序列化扩展,在发现或收到相关的漏洞报告之后,Dubbo 官方会跟进并升级依赖到最新的安全版本,但最终的漏洞修复方案取决于序列化的框架实现。
+
+> 针对使用 [dubbo hessian2](https://github.com/apache/dubbo-hessian-lite/releases) 
版本的用户,Dubbo 官方会保证hessian2序列化机制的安全性并尽可能的修复上报的安全漏洞
+
+此外,从 Dubbo 3.2 版本开始,对于 Hessian2 和 Fastjson2 
默认采用白名单机制,如果您发现部分数据处理移除,可以参考[文档](/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/class-check/)进行配置。
+
+# 全面加固
+
+为了尽可能提高应用序列化的安全性,Dubbo3.0在序列化协议安全方面进行了升级加固,推荐使用 Tripe 协议的非 Wrapper 模式。
+该协议默认安全,但需要开发人员编写IDL文件。
+
+Triple 协议 Wrapper 模式下,允许兼容其它序列化数据,提供了良好的兼容性。但其它协议可能存在反序列化安全缺陷,对于 Hessian2 
协议,高安全属性用户应当按照 samples 代码指示,开启白名单模式,框架默认会开启黑名单模式,拦截恶意调用。
+
+若必须使用其它序列化协议,同时希望具备一定安全性。应当开启Token鉴权机制,防止未鉴权的不可信请求来源威胁 Provider 的安全性。开启 Token 
鉴权机制时,应当同步开启注册中心的鉴权功能。
+
+[加固参考](/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/security/)
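Review bot: the overview says `从 Dubbo 3.2 版本开始,对于 Hessian2 和 Fastjson2 默认采用白名单机制` while the 全面加固 section says `框架默认会开启黑名单模式`; state the version range for each default so a 3.2+ user is not told to enable the whitelist manually. Typos: `处于安全性考虑` should be `出于安全性考虑`, `Tripe 协议` should be `Triple 协议`, and `如果您发现部分数据处理移除` is missing a word (presumably classes being rejected by the allow-list). `# 概述` and `# 全面加固` are H1 headings on a page whose title is already the H1; use `##` like the rest of the docs.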
diff --git a/layouts/partials/footer.html b/layouts/partials/footer.html
index 8c0163c2ead..e91a69fb633 100755
--- a/layouts/partials/footer.html
+++ b/layouts/partials/footer.html
@@ -34,7 +34,7 @@
     <ul>
       <li><a href="https://www.apache.org";>Foundation</a></li>
       <li><a href="https://www.apache.org/licenses/";>License</a></li>
-      <li><a 
href="https://dubbo.apache.org/en/docs/notices/security/";>Security</a></li>
+      <li><a 
href="https://dubbo.apache.org/en/overview/notices/";>Security</a></li>
       <li><a href="https://www.apache.org/events/current-event";>Events</a></li>
       <li><a 
href="https://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
       <li><a 
href="https://privacy.apache.org/policies/privacy-policy-public.html";>Privacy</a></li>

